10 Pitfalls in Creating a Successful Business Continuity Plan

By Tom Abruzzo

In these tough economic times, when the stock market had its worst downslide since 1931 and we are awaiting a national stimulus package, businesses are shifting gears. They are tapping employees in long-term strategic positions to concentrate on short-term revenue-producing functions.

Yet, regardless of the grim outlook, the risk of disaster doesn’t lessen — natural disasters, power outages, malicious acts, etc. still occur. If disaster does strike, companies are still beholden to stockholders, key vendors and clients to keep them supplied and operating. Every company’s survival depends on that.

In putting together a smart Business Continuity Plan (BCP), we’ve found several common missteps that can hinder a successful plan. Here are 10 pitfalls and recommended ways to overcome them.

#1 Giving a Plan Lip Service
Because the business’ staff is asked to concentrate on revenue-producing jobs, they shift focus away from disaster and continuity planning. While they know planning is important, other seemingly more important tasks vie for their attention, diverting limited resources they may have. Their underlying rationalization is: why assign scarce resources to plan for something that may not happen?

Recommendation: Every company needs a plan. Participants need to be aware of their roles and responsibilities in the plan, and every plan needs to be kept up to date. Providing lip service is actually a “dis-service,” and equivalent to not planning at all.

#2 Overemphasis on Risk Threat Assessment (RTA)
Before planning, risks must be identified. The value of working through the RTA process is to assess risks/threats to your own business, and to determine which risks are most probable — and those on which you could have the most impact, either to mitigate the risk or to lessen the odds of it occurring. Without a thorough understanding of your organization, you risk making unrealistic recovery decisions. Most businesses recognize this importance.

However, we’ve found many get so caught up in the minutiae of assessing the risks that they never complete the plan. No one can eliminate all the risks that can cause a disaster — power outages, natural disasters, pandemics, etc. If these are unpreventable, why waste time analyzing them, including their probabilities, consequences, mitigation strategies, resulting implementation costs, etc.?

Recommendation: The key in BCP is to plan for the result of the threat, not the threat itself.

#3 Getting Bogged Down in the BIA
Developing a Business Impact Analysis (BIA) will assist in determining the BCP objectives. Two-pronged, these include the Recovery Time Objectives (RTOs), which provide the target timeframes to recover business and/or application processes following an outage, and the Recovery Point Objectives (RPOs), which provide the point in time to which systems and data must be recovered after an outage, e.g., end of previous day’s processing, etc. Despite the importance of determining proper recovery times or recovery points, splitting hairs over prioritizing functions and exact recovery timeframes will delay the real work — developing the plan.

Recommendation: Make your best estimate of realistic recovery time and recovery point objectives for your business, and go with those targets.

#4 Insufficient Scrutiny of Your Supply Chain
If a mission critical vendor or partner had a disaster, would that cause a disaster for your company? In order for any firm to survive, it needs goods and services to which it provides its own value-added service. If that supply is cut off, it can’t operate its business.

Recommendation: Scrutinize your key vendors and make certain they have a business continuity plan in place.

#5 Making the Assumption Your Vendors Will Help You
Going hand in hand with lack of scrutiny, many people assume their key vendors and partners will be there for them in time of disaster, but oftentimes this is a false sense of security and results in lack of planning for supply chain risk. For instance, do you believe that your service vendor will fix your air conditioning or provide emergency fuel if you need it during a crisis? Will your software vendors provide you with the software keys required to run their software on alternate computers? Will your equipment vendors ship mission critical equipment within the timeframe you assume? Are you willing to bet your business on any of these assumptions?

Recommendation: Get your key vendors and partners to commit and confirm they will supply you what you need, i.e., the fuel, software keys, whatever is crucial to your business operations.

#6 Combining a Pandemic Plan with a Traditional BCP
Planners sometimes try to lump a conventional plan, like a natural disaster or power outage, with a health epidemic plan, but they are incongruent issues: One is a people problem, the other a building problem. In the latter, there’s no place to work. In a pandemic situation, the facility is completely accessible…but there are limited personnel to operate it.

A pandemic plan assumes a high percentage of staff absenteeism. In addition to actually being ill, this high percentage can be due to a number of factors affecting the employee, such as caring for school-age children as a result of all the schools being closed, fear of becoming sick, caring for someone who is ill, psychological effects of seeing so much sickness and death (this type of situation amplifies nervous breakdowns, suicides, etc.), or they may already be dead.

Recommendation: Separate and treat these as two different issues and plans.

#7 Overemphasis on Documentation
The tendency in the planning process is to publish too much plan documentation. You don’t need to publish by the pound! Remember, people practically forget how to tie their shoelaces in a crisis.

Recommendation: Rather than require that plan participants search through one or more large three-ring binders, the best tactic to get them off the ground is a BCP wallet card. This credit card sized tool should contain just the most salient information, such as the disaster alert hot line number; emergency operations center location information; key recovery team personnel information; recovery facility information; and a reminder that safety is first and to call 911 in an emergency. For sure, you need supporting data and call lists, and those nitty-gritty details should be in that three-ring binder.

#8 Untrained Plan Participants
The planning process may be more important than the resulting plan manual/document. Because employees are often reluctant to pick up the large binder to brush up on procedures, it is crucial that there is ongoing staff awareness of the plan. The documentation is available as a reference guide, but it’s just that, a guideline, and for various contingencies. When people are agitated during a crisis and need to act immediately, how much value is the written plan going to bring them?

Recommendation: Create a document to use as a reference guide, but have employees memorize key information. This includes locations of Emergency Operations Centers; whom or where they should call; information that the wallet card contains; and the recovery teams the plan participant is involved with for the BCP.

#9 Premature Surprise Exercises
The purpose of conducting exercises is to strengthen the plan. If the details in the plan are immature, springing a “pop quiz” on employees will only cause confusion and failure.

Recommendation: A plan should be thought of as a reference document, not something to be entirely memorized — that is counterproductive to strengthening it. Therefore, an “open book” test will work well if the plan is in early stages. As the plan progresses, employees can memorize certain salient points so they know instinctively the overall course of action in a crisis. The objective of a test is not to fool people but to exercise and strengthen the plan.

#10 Lack of Maintenance
Change is the norm in a business environment. Thus, a business’ plan will change with each update of the business processes, equipment, change of personnel, etc., and the BCP is only as current as the last update made to it. Consequently a maintenance program must identify organizational changes that may require plan updates. With businesses today wanting to decentralize their information, it is time-consuming and cumbersome to update this information manually.

Recommendation: Automate this task with software. A Business Continuity Management (BCM) software tool gives plan owners the ability to easily update their own planning data through a simple online system, and provides the ability for administrators to see at a glance the status of the planning efforts, including everyone’s functions, when training was performed, the results of exercises and drills, etc. It is also a great asset to develop plan disclosure and certification statements for your clients, employees, partners/vendors and prospects.

In the end, smart managers continue to develop and evolve their continuity plans regardless of the economic climate. If a disaster occurs relating to your business, you will be held accountable to your employees, clients and stockholders. Now as much as ever, the statement holds true: “The only thing harder than planning is explaining why you didn't.”

Authored by

Tom Abruzzo has been specializing in business continuity management and contingency planning for more than 30 years. He is the president and founder of TAMP Systems, which is a DRI Certified Business Continuity Vendor (CBCV). He is also the original developer of the planning software product named the Disaster Recovery System (DRS™), which decreases manual efforts to create, manage, and keep disaster recovery and business continuity plans up-to-date. In 2005, Tom was inducted into the CPM Hall of Fame. CPM is an independent organization that recognizes significant contributions in the field of business continuity. He can be reached at tabruzzo@tampsystems.com.